Cloudflare, the next big cybersecurity IPO company, says it may have violated US law by doing business with terrorists and narcotics traffickers

Cybersecurity company Cloudflare is about to become public
company, possibly as soon as this week, and there are indicators
that investors are ready to buy in.

However, the company also quietly updated its S-1 filing to
go public to disclose that it may have broken the law in ways
including including selling its services to terrorists, to
narcotics traffickers, and to governments being sanctioned by the
US.

It also may have violated laws governing exporting encryption
technology, it said in the filing.

Cloudflare has for years faced scrutiny over its role in
protecting some of the darkest corners of the internet.

Cloudflare gave a strong indication that its IPO roadshow is
going well, when on Wednesday it increased its pricing range on
Wednesday to $12 to $14 per share - up from $10 to $12 per share.

This should value the company at between $3.5 billion and $4.1
billion at the time of its IPO, exceeding its
last private valuation of $3.25 billion. The company is
expected to go public later this week, possibly as soon as
Thursday.

But then the company also raised
eyebrows by filing an amended S-1 form, its IPO prospectus,
in which it admitted it may have violated US law. It sold its
services to entities blacklisted by US government including
terrorists, narcotics traffickers and sanctioned governments, it
said in the filing.

Specifically, Cloudflare said (emphasis ours):

"We identified that our products were used by, or for the
benefit of, certain individuals and entities included in OFAC's
Specially Designated Nationals and Blocked Persons List (the
SDN List), including entities identified in OFAC's
counter-terrorism and counter-narcotics trafficking sanctions
programs, or affiliated with governments currently subject to
comprehensive U.S. sanctions. A small number of these
parties made payments to us in connection with their use of our
platform."

It also disclosed it may have broken US laws governing exporting
encryption hardware.

Cloudflare offers a service that helps website operators keep
their sites up and running even if hackers attempt to bring the
website down, or if parts of the internet go down. The company
says its network spans 194 cities in over 90 countries and
connect with major internet providers and big corporate networks
alike.

It may have installed encryption hardware in some of these
overseas places in violation of the law, it explained:

"In 2019, we learned that we may have failed to comply with
certain U.S. export-related filing and reporting requirements
and may have submitted incorrect information to the U.S.
government in connection with certain hardware exports."

Cloudflare has faced criticism for years over how it helped
protect some of the darkest corners of the internet. Its has also
been praised when it has kicked such entities off its network.

For instance, Cloudflare said its platform was used by 8chan, the
online forum which "served as an inspiration" for the deadline
mass shootings in El Paso, Texas and Christchurch, New Zealand.
In April, after the El Paso shooting. The company
announced that 8chan was no longer a customer, describing the
forum as a "cesspool of hate."

In 2017, it faced a similar publicity storm when it admitted its
network had been used by The Daily Stormer, the neo-Nazi white
supremacist website, which became infamous for its role in the
2017 protests in Charlottesville, Virginia. Cloudflare later
terminated
the group's account.

The company says it disclosed the information about the
blacklisted entities using its site to the appropriate government
agency in May, 2019.

While Cloudflare promises it is doing all it can to prevent its
service being used illegally, it says this remains a risk
(emphasis ours):

"Although we have implemented, and are working to implement
additional controls and screening tools designed to prevent
similar activity from occurring in the future, there is
no guarantee that we will not inadvertently provide our
products to additional individuals, entities, or governments
prohibited by U.S. sanctions in the future. "